Monday, November 23, 2009

New Malicious iPhone Worm Acts Like Botnet

F-Secure research director Mikko Hypponen posted a warning Sunday night on the F-Secure blog about a new potential threat facing jailbroken iPhones.

Mikko writes "We've received a sample of a malicious iPhone worm with botnet functionality. Like the Ikee worm, it only affects Jailbroken iPhones which have SSH installed and have not changed the default password. This one connects to a web-based command & control center running at in Lithuania. The worm is not widespread, but it is much more serious than the first iPhone worm as it seems to try to steal information from the devices. We're working on full analysis and should have it available later."

The report was originally broken by BBC News, which reported that the new malicious worm is specifically targeting people in the Netherlands who use their iPhones for internet banking with Dutch online bank ING Direct.

Hypponen confirmed the reports, stating, "It's fairly isolated and specific to Netherlands but it is capable of spreading." He added that although the number of infected phones was thought to be in the hundreds rather than thousands, the worm could jump from phone to phone among owners using the same wi-fi hotspot.

According to the BBC, a spokesperson for ING Direct said that a warning was going to be put on the bank's official website.

"We are also briefing call center personnel," she added. "It's important to remember that the worm only affects jail-broken phones and it is only aimed at customers in the Netherlands."

Utilizing a fake ING Direct login page, the hackers in control of the "worm" can collect your online banking credentials and, presumably, all the cash within your accounts.

Users infected with the worm will find that their root password has been changed. According to Paul Ducklin, Sophos's Head of Technology, the original password was 'alpine', but once the worm takes control of an infected phone it changes the password to 'ohshit'. If you try this login and actually get in, you are almost certainly infected with the worm. More details can be found on Ducklin's blog at Sophos.
